KDC performance test - lookaside cache impact, testing framework

Sam Hartman hartmans at MIT.EDU
Thu Jun 21 12:59:34 EDT 2012


>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:

    Greg> (On the client end, we'd like to make libkrb5 "stick" to the KDC address 
    Greg> which generated the preauth-required response.  That's a bit of a 
    Greg> technical challenge.  It also doesn't help when there are network load 
    Greg> balancers or KDC worker processes involved.)


I'll note that in the development of RFC 6113 a solution like this was
proposed in krb-wg. Larry had fairly strong objections to moving in that
direction. I never understood his objections well enough to articulate
them.

I'm nervous about the idea of mostly having KDC affinity. The current
approach makes the life of server preauth method designers harder, but
is reasonably robust because if you don't consider what happens when you
get a different KDC, things won't work in practice.
If we generally but not always have KDC affinity, I think it will
introduce robustness issues because it will be very easy to design
methods that work in the common case.
Performance issues may justify this, but it certainly does make me
nervous.

